May 03, 2007

Taking control of online passwords

So how do you handle the growing nightmare of online passwords? After my Thursday print column on the topic, below, please share your strategies, your disagreements, your deepest personal feelings (about passwords) in the 'Comments' area.

It was when I had to click my third “I forgot my password” link in as many days that I realized I need a Password Strategy.

Until then I had been scraping by with a battle plan inspired, perhaps, by Custer. I used my ATM password, family names and birth dates, and my e-mail address in varying combinations that I tried, but apparently failed, to keep uncomplicated.


As safety plans go, this scattershot system was more ADD, the disorder, than ADT, the security services company. Worse than that, it was seriously jeopardizing my personal information.

What kind of idiot offers up the same password that protects his online bank accounts to some cyber-retailer he’s visiting one time to buy a discount memory card?

The kind of idiot who needs a Password Strategy, which means, ultimately, picking some password-management software and letting it strengthen your passwords and do the dirty work of remembering the new, complicated ones it has come up with. All you have to do is remember the one password that gets you into the password manager.

Having a Password Strategy used to mean you were a contestant on Alan Ludden’s game show. Your strategy was to voice meaningful clues in a portentous tone, then raise your eyebrows at your partner expectantly.

Then came ATM cards. Dial-in voice mail. Telephone banking. Their little codes seemed a pain at the time, but what an idyll it looks like from today’s perspective.

If you’re even a little bit digitally inclined, you’ve got password-protected accounts for at least some of the following: Amazon, eBay, your bank’s Web site, BestBuy.com, the Bloglines RSS reader.

You’ve got passwords for accessing your office e-mail from home and your home e-mail from the office, your credit card companies, mortgage company, and home equity company. And I could name a dozen more.

All of these services make life more convenient -- except for the potential Achilles’ heel of security and the definite Achilles’ heel of password management.

So what to do?

First, get your home wireless network under strong security, with one of those ridiculously long letter-number keys. If you haven’t done that yet - if you’re one of the people whose network anyone in the neighborhood (or a passing car) can access - fix it immediately. Small bother, big benefit.

Don’t try to compensate for your security hodgepodge by keeping track of your sundry passwords in a Microsoft Word file labeled - drum roll, please - “passwords.” When I mentioned that I do this to William Yerazumis, an expert on e-mail security, he said, in exactly these words, “Slap, slap, slap, slap. Just mail ’em out. Save some time.”

Most important is to make stronger passwords. Instead of what PC Magazine identifies as the 10 most common (and easily hackable) online passwords - including “letmein,” “abc123” and “qwerty” - a strong password mixes words and numbers in unlikely combinations.

A strong password is also a long password. Writes computer expert John Pozadzides, in a blog posting (onemansblog.com) titled “How I’d Hack Your Weak Passwords,” “Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - such as @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for [a computer program to hack] an 8 character password from 2.4 days to 2.1 centuries.”

That’s assuming, he adds, that you don’t use any common words in the password.
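To see where figures like "2.4 days" and "2.1 centuries" come from, here is an added example (not from the column or from Pozadzides' post) that scales the quoted baseline to other alphabets and lengths; it assumes "all possible characters" means the 95 printable ASCII characters and that the attacker tries every candidate, and it also covers the length-versus-complexity question a reader raises in the comments below.

```javascript
// Added example: brute-force search space behind the quoted cracking times.
// Assumptions (not stated in the column): lowercase only = 26 symbols,
// "all possible characters" = 95 printable ASCII symbols, and the attacker's
// guess rate is whatever makes 8 lowercase letters take the quoted 2.4 days.
const LOWERCASE = 26;
const PRINTABLE_ASCII = 95;
const BASELINE_DAYS = 2.4;          // quoted cost of an 8-letter lowercase password
const BASELINE_SPACE = 26n ** 8n;   // 26^8 candidates for that baseline

// Candidates an exhaustive search must cover. BigInt because 26^14 is
// beyond the range where a double stays exact.
function searchSpace(alphabet, length) {
  return BigInt(alphabet) ** BigInt(length);
}

// Strength in bits, the usual way of comparing search spaces.
function entropyBits(alphabet, length) {
  return length * Math.log2(alphabet);
}

// Scale the quoted baseline to a different alphabet and length.
function crackDays(alphabet, length) {
  const ratio = Number(searchSpace(alphabet, length)) / Number(BASELINE_SPACE);
  return BASELINE_DAYS * ratio;
}

// The alphabet an attacker must assume: a single uppercase letter or symbol
// forces the full printable set, which is the point of the quote.
function assumedAlphabet(password) {
  return /^[a-z]+$/.test(password) ? LOWERCASE : PRINTABLE_ASCII;
}

// The quote's own caveat: the arithmetic only holds when the password is not
// something a dictionary attack tries first (the PC Magazine list above).
const COMMON = new Set(['letmein', 'abc123', 'qwerty', 'password']);
function estimate(password) {
  if (COMMON.has(password.toLowerCase())) {
    return { bits: 0, days: 0, note: 'common password: guessed immediately' };
  }
  const a = assumedAlphabet(password);
  return { bits: entropyBits(a, password.length), days: crackDays(a, password.length) };
}

// Worked comparison: 8 lowercase vs 8 mixed vs 14 lowercase letters.
function comparison() {
  return ['abcdefgh', 'abcdefG*', 'abcdefghijklmn'].map((p) => ({
    password: p, bits: estimate(p).bits.toFixed(1), years: (estimate(p).days / 365.25).toFixed(1),
  }));
}
```

Running `comparison()` shows the 8-character mixed password at roughly 209 years (the quoted 2.1 centuries) and the 14-character lowercase one at about two million years, so length buys far more than a sprinkling of symbols.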

“Probably the safest thing to do is go to a password generator site and have the site generate a password for you,” says Erik Rhys, a senior editor at PC Magazine. (Google “password generator.”)

Do this right away for your most valuable sites, including banks, credit cards, PayPal and, don’t forget, e-mail. The e-mail account often can lead people back into your other accounts, especially if you’re prone to click “I forgot my password.”

To manage your new, non-repeating, complex passwords, you’ll need to trust the computer. Some password-management programs have been around for years, with solid security records.

I’m planning to play around with three, each of which would require me to remember only one password to access all my others. The most attractive is PassPack, because it resides online. I wouldn’t have to load software on every computer I use or lug around a USB drive containing password data.

Another manager that seems worth checking out is RoboForm, software that not only handles your passwords but generates them for you and safely, securely, fills in online forms. It costs $30 for full functionality.

And then there’s KeePass, a free software tool that seems to be highly regarded for password management.

I’ll report back on what I find, but at minimum, any of these has got to be better than “passwords.doc.”

Comments

I have stored them in couple of places where I have them written down that are portable and nondescript and that I move periodically (never near my computer). The number of places to check when I can't remember are finite enough that I usually don't have problems.

I never store password information on or near to documents that are related to "real" stuff (banking, shopping, etc.). If it has to do with accessing online reading materials (e.g., newspaper logins), I'm less stringent.

I never repeat a password and always generate word and number combinations that meet at least middle level security recommendations.

I subscribe to about 60 English-speaking publications around the world. In their e-mail folder I have a sub-folder named for a reminder of what my username and password are. I also keep my non-news e-mails from these publications in this folder.

The problem with using a password management system is that I work from multiple computers, one at work and two at home. If I change a password (which some sites require on a routine basis), I have to remember to update it in three places. Uh, uh.

Since different sites have different requirements for login IDs and passwords, I have two or three I normally use for each format requirement (6+ characters, 8 characters including at least one number, etc.). I can remember what these are, but not necessarily which one goes with what site. Therefore, I keep a list of sites with a code indicating which login and password correspond to that site (actually, it's a series of lists; they're not all in the same place). The ONLY place any of the logins and passwords are written down is on a sheet of paper in a sealed envelope in my father's safe deposit box, and that's only so someone can take care of things should I happen to depart this mortal coil.

By the way, I believe it was Roger Grimes, Infoworld's security columnist, who demonstrated mathematically to his readers that a longer password is more important than mixing in different cases and numbers. Those help, of course, but once a password reaches a certain length (14 characters, if I remember correctly) it greatly exceeds the ability for a password generator to hit on the correct password at random.

I'd like to offer two comments to the people who design sites requiring passwords:

1. A pox on those of you who disable an account after a single failed login attempt. You should recognize that every computer user on the planet (for practical purposes) has this password management problem, and give us a chance to remember the right one.

2. It would help if, when someone enters the wrong password, you could display the format requirements. That would instantly tell me, for one, which passwords I should be trying.

I hate it when I can't remember my login name. Some want your email address and others want numbers and others want you to set up one.
I have home email, work email, almost all my utilities set up online, message boards, bank accounts, credit cards, online shopping and you can't forget this site (Chicago Tribune!)
All very aggravating, and I consider myself to have a good memory!

The "put all the eggs in one basket" solution is to keep all the passwords in a single encrypted file.

Of course, if you use multiple computers then you'll need to keep at least one copy of this master file on a portable device, and you'll have a solution for synchronizing multiple copies.

A similar solution can be used to keep track of credit card numbers, and other data that you'd prefer to keep private.

Anyway, I'm somewhat surprised that I haven't seen a commercial offering that solves this problem by combining (all in a simple, elegant, easy-to-use product) a simple database combined with strong encryption. Or, perhaps it's already been done?

I use a small address book to keep passwords and important information. Easy to use.

JOHNSON REPLY: But where's your back-up? That's my fear about the paper solutions proposed, including one reader's 5-by-7 index cards in a desk drawer. I'm not so worried about a thief breaking in and stealing computer password info, rather than, you know, jewelry.

I use paid-for software called Password Vault, which I like. If you have more than one computer, it's easy to sync via a USB memory stick. I can even run it directly on any other computer (Windows, Mac, or Linux) that I can poke my USB memory into.

I create a password using a phrase that only would make sense to me. For example: I have three chairs, one brown two green. This is describing the furniture in my living room. So the password is: Ih2c1b2g. I have three phrases like this, and use them for all of my passwords. Works great!

I use a Palm Treo smartphone (upgrade from various previous Palm devices with the advantage that I don't need a separate cell phone), and a Palm application called "DataShield" which is a password protected database to store all of my other passwords. Only one password to remember - if I know that one, I can look the others up! The database has grown to over 200 records, so I can't imagine trying to remember the username/password/security questions/etc. for any of the multitude of web sites that I visit without this tool.

I have two passwords that I reuse over and over. Probably not a good idea, but I never use a public computer and the passwords are not easily identifiable. What is more of a challenge to me are UserIDs. I have a couple that I often use, but because my name is fairly common they often will not work.

SplashData (http://www.splashdata.com/) offers a password program (SplashID) that works on your PC or portable device. I've had it on my Palm for years.

It keeps track not only of web logins and passwords, but credit card info, email accounts, frequent flyer info, insurance numbers, software serial numbers... and so on. Works on Palm, Pocket PC, Smartphone, Symbian UIQ, Blackberry, Windows, and Mac. If I were to lose my wallet this afternoon, within 10 minutes I could be on the phone cancelling every card, contacting the banks, etc. because all that info is in there.

I'm not affiliated with SplashData in any way -- just an EXTREMELY happy user of the product for several years, and currently keeping track of over 250 separate items with it. One just has to remember the password to get into the SplashID program, and access what you need from there.

If you use PassPack, and their database is hacked, there goes your security. Why would I want to give someone else all of my passwords "for safe keeping" - I store mine in a password protected program... of course, I'm not telling what.

I have two strategies. (1) I take a multi-syllable word and I insert the current year, i.e., "tur2007tle" Another strategy is use my favorite combination lock numbers and insert letters between the nos, i.e., "2a4b27".

First- thanks for the mention! I'm a PassPack founder and can't wait to read the follow up report. In the meantime, I'd like to address a few of the comments made:

@Gene
Please be careful, your email folder can be very easily read by malware, or even just someone who sits down at your computer. It's like hiding your key under the doormat - everyone knows that's the first place to look, especially thieves.

I do agree with your two final suggestions for developers though. Good input, thanks.

@ Peter Chrzanowski
"Or perhaps it's already been done?" >> Yes, that's what PassPack does: it offers an online storage that you can access 24/7 (no syncing needed) from any computer with an internet connection. It uses strong AES encryption (US Government approved). PassPack essentially stores your encrypted data for you (but can't read it), and it gives you an easy-to-use way to navigate it, find what you need quickly, and get logged in fast.

You're also on the mark about being useful for all sorts of information, you can store whatever you want in your account: logins, passwords, frequent flyer numbers, registration codes, software keys, notes or even just private links.

@Deb,
Let me explain how PassPack works - we've built it so that even if a hacker breaks in and steals all the data, it would be useless to him. Here's a paraphrase from our Security Overview:

Data is encrypted and decrypted in your *browser* with what we call a Packing Key that you choose yourself when you sign up. Your Packing Key (which only you know) never gets sent or saved to the server. Without it, the algorithms are incapable of unpacking your data.

So let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (Not even PassPack can read your data). The worst he can do is delete it all - and, of course, we've got plenty of backups.

So what exactly is wrong with a Word doc (with a strong password itself) that keeps my various user ID and password information for hotel, frequent flyer, online credit card account, PayPal, etc., etc.? Someone needs to compare the risk of that approach against the risk of being struck by lightning, a meteor hitting the earth, George Bush admitting he was wrong, etc. Security people should back up their offerings with objective analyst reports about relative risk/intensity of impact info. Give me a Gartner Group (or equivalent) analysis.

JOHNSON REPLY: I agree that the odds of someone getting into your system and sorting through your Word docs to find passwords are slim. But they rise astronomically when you call that file, as I have done, "Passwords."

I have three root passwords that I use: one for benign sites such as the Trib, one for secure sites but don't use credit card info, and one for personal online banking/credit card usage. I have the same system at work.

For instance, I would use peaxxx for the Trib; RSvp123*xxx for secure sites, and NrSxxx*1X& for the most secure sites.

I keep track of them in a WordPerfect password protected document with an innocuous title. (Word also has password protection.) I don't use the entire password there either, just something that will help me remember. However, after reading these comments about password management programs, I'm ready to check them out!

I have an Excel spreadsheet that is not named password, has a password itself and is on my jump drive a couple levels in a completely unrelated folder. I don't keep anything else sensitive on the jump drive so they can't get anything else from it. (mostly pictures I want to take to work)

My spreadsheet includes the name of the site, the site URL, the login ID and password.

I occasionally transfer it to my hard drive in an un-likely location as a back up with the date I moved it.

I use it mostly at work where every software I use has a different ID and most require a password change every 45 days.

I find having the URL helps me remember what sites I have actually signed up for something on. Otherwise I can never remember my hotel and airline member numbers when I make reservations. Plus it keeps my favorite web sites all in one place for use on multiple computers.

I also use a 2nd rarely checked email address for things you have to sign up for to access the information (i.e., real estate web sites, newspapers). This way if a hacker does break into that email all they get are not sensitive web sites.

I read different online papers from around the world and am always annoyed at having to register. An easily remembered password for newspaper sites such as this one that hassle users to register before displaying the stories is the one word that always pops into my mind when the registration box appears: registrationsuks